Full Version: INTEGITOR.EXE and TESTFILE keep coming back!?
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Ace_NoOne
Hello there,

for several months now, I've been having problem with two files which keep (re-)appearing in my CD image folder (=> not a frequently used folder or even a system directory): INTEGITOR.EXE (used to appear as NVSVC.EXE until a few weeks/months ago) and TESTFILE (0 KB).
If I delete these files, they'll be there again after a few days (though only when I'm online, it seems; I'm on dial-up).
H+BEDV's AntiVir Guard recognized it as W32/Stanit, at other times as WORM/Gaobot.108032.9, but couldn't effectively remove it. Neither could a number of other anti-virus scanners, among them HijackThis and Stinger.

This issue is truly driving me insane, so I'd greatly appreciate some helpful hints!
Mosaic1
Hi Ace NoOne,


Post a hijackthis log please. Download and then extract Hijackthis.exe to a new folder. Do not run it from the zip, the desktop or a temp folder.

Here's a link:
http://www.merijn.org/files/hijackthis.zip

Do not remove anything using HijackThis. Save the log and then copy and paste the contents into your next reply here in this same topic. It lists many types of entries. Some are good, and others need to be removed. We will help you sort it out.

------


Post a startuplist too please. In Hijackthis press the Config Button
Click Misc Tools
Check both boxes next to the Generate StartupList log and then click the generate startuplist log button.

Paste the contents into your next reply here.
Ace_NoOne
Here's my current HJT log. However, since this issue has been bugging me for quite a while already, I've done this many times and have already removed a couple of entries in the past few weeks/months. Unfortunately, I wasn't wise enough to keep the logs though...
QUOTE
Logfile of HijackThis v1.99.1
Scan saved at 22:04:46, on 17.10.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\ANTIVIR\AVGUARD.EXE
D:\AntiVir\AVWUPSRV.EXE
D:\Cisco VPN Client\cvpnd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Microsoft IntelliType Pro\type32.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
D:\MinimizeToTrayMenu.exe
D:\WinKey\WinKey.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\NETTRA~1\NTIEHelper.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [type32] "C:\Programme\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - Startup: autostart query.lnk = C:\WINDOWS\system32\wscript.exe
O4 - Startup: MinimizeToTrayMenu.lnk = D:\MinimizeToTrayMenu.exe
O4 - Startup: todo.memo
O4 - Startup: WinKey.lnk = D:\WinKey\WinKey.exe
O8 - Extra context menu item: Download all by Net Transport - D:\NetTransport\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - D:\NetTransport\NTAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - D:\ANTIVIR\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\AntiVir\AVWUPSRV.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Cisco VPN Client\cvpnd.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

I can't find anything suspicious there; I know what pretty much all of the entries mean - except for the IDriverT.exe maybe.
Yet, take a look at the last entry: NVSVC32.EXE looks pretty similar to "my" malware's former name, NVSVC.EXE - coincidence? Intentional to hide the virus?
Mosaic1
C:\WINDOWS\System32\nvsvc32.exe >>> That's a driver for your video. The nasty probably did name theirs to confuse us.

todo.memo Is this something you set up yourself?


O4 - Startup: autostart query.lnk = C:\WINDOWS\system32\wscript.exe
This is suspicious. I wonder if they have replaced the real wscript.exe.

Please go into your system32 folder and find wscript.exe
Right click on it and click on Send to > Compressed

I would like a copy for analysis so I can better help you.
Please send the newly created zipped file as an email attachment to me here:
Katie_3232AThotmail.com

Replace the AT with an @ for the email address to work.
I'll see what we can find out.
-------

This one can be fixed using hijackthis. It is a leftover from a crash you had in the past.
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

-------


Post a startuplist too please. In Hijackthis press the Config Button
Click Misc Tools
Check both boxes next to the Generate StartupList log and then click the generate startuplist log button.

Paste the contents into your next reply here.
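As an added example (not code from the thread or from the HijackThis project), the following Python script parses the O4 and O23 lines of a HijackThis v1.99 log and applies three of the checks discussed above mechanically: a Startup entry that is a plain data file rather than a program (the `todo.memo` question), a script host launched from Startup where the log shows no script argument (the `wscript.exe` shortcut question), and an image name that is a near-match of a known-good name such as `nvsvc32.exe` (the `NVSVC.EXE` lookalike). The sample log is constructed: five lines are copied from the log posted in this thread, the sixth is a hypothetical service entry whose name and path are invented for the example, and the known-good baseline is simply a set of vendor image names taken from the posted log.

```python
import re

# Constructed sample in HijackThis v1.99 log format. The first five lines are
# copied from the log posted in this thread; the sixth is a hypothetical
# service entry (name and path invented for this example) with the kind of
# lookalike image name the thread is worried about.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Startup: autostart query.lnk = C:\WINDOWS\system32\wscript.exe
O4 - Startup: todo.memo
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Example Service (ExampleSvc) - Unknown - D:\example\NVSVC.EXE
"""

# Line formats for the three entry kinds handled here.
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?)(?: = (?P<cmd>.+))?$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<svc>[^)]+)\) - (?P<company>.+?) - (?P<cmd>.+)$")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Constructed baseline: image names of vendor entries seen in the posted log.
KNOWN_GOOD_IMAGES = {"nvsvc32.exe", "dumprep", "rundll32.exe", "wscript.exe",
                     "type32.exe", "avguard.exe", "cvpnd.exe"}


def split_command(cmd):
    """Return (lower-cased image basename, remaining arguments) of a command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = (cmd[1:end], cmd[end + 1:]) if end > 0 else (cmd[1:], "")
    else:
        exe, _, rest = cmd.partition(" ")
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower(), rest.strip()


def stem(image):
    """Image name without its extension ('nvsvc32.exe' -> 'nvsvc32')."""
    return image.rsplit(".", 1)[0] if "." in image else image


def edit_distance(a, b):
    """Levenshtein distance, used to spot names that differ by a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_entries(log_text):
    """Turn O4/O23 lines into dicts with kind, name, image and arguments."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        for kind, rx in (("run", RUN_RE), ("startup", STARTUP_RE), ("service", SERVICE_RE)):
            m = rx.match(line)
            if m:
                cmd = m.group("cmd")
                image, args = split_command(cmd) if cmd else ("", "")
                entries.append({"kind": kind, "name": m.group("name"),
                                "image": image, "args": args, "line": line})
                break
    return entries


def analyze(log_text, known_good=KNOWN_GOOD_IMAGES, max_distance=2):
    """Return the entries a reviewer should look at, each with a reason code."""
    findings = []
    for e in parse_entries(log_text):
        img = e["image"]
        if e["kind"] == "startup" and not img:
            # A bare file in the Startup folder: HJT cannot show what opens it.
            findings.append({**e, "reason": "data-file-in-startup"})
        elif img in SCRIPT_HOSTS and not e["args"]:
            # The .lnk target is only the script host; the script it runs is
            # not visible here and must be read from the shortcut itself.
            findings.append({**e, "reason": "script-host-no-args"})
        elif img not in known_good:
            for good in known_good:
                d = edit_distance(stem(img), stem(good))
                if 0 < d <= max_distance:
                    findings.append({**e, "reason": "lookalike", "resembles": good})
                    break
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["reason"], "->", f["line"], f.get("resembles", ""))
```

The `script-host-no-args` finding is exactly the gap in the HJT view of `autostart query.lnk`: HijackThis prints the shortcut's target executable, so the `.vbs` that `wscript.exe` actually runs only shows up in a tool that expands the shortcut (Silent Runners does). The lookalike check is deliberately narrow: it only compares against names you have already accepted as legitimate, which keeps it from flagging every unfamiliar vendor binary on a machine that installs software to a second drive, as this one does.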
Ace_NoOne
QUOTE
C:\WINDOWS\System32\nvsvc32.exe >>> That's a driver for your video. The nasty probably did name theirs to confuse us.
Yeah, that's what I thought.
QUOTE
todo.memo Is this something you set up yourself?
Yup, just a little plain-text file.
QUOTE
O4 - Startup: autostart query.lnk = C:\WINDOWS\system32\wscript.exe
This is suspicious. I wonder if they have replaced the real wscript.exe
No, that's a VBS script I wrote myself (it asks whether a certain program should be launched). So that should be clean.
QUOTE
This one can be fixed using hijackthis. It is a leftover from a Crash you had in the past.
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
Okay, good to know.
QUOTE
Post a startuplist too please.
I can do that when I come home this evening. Though I can assure you there's nothing suspicious in there; I'm pretty anal about the startup list and always make sure there are only a few items in there (StartupCPL is a pretty good tool for that btw).

I've performed scans with a number of other tools (AVIRA Removal Tool 2.0, Vcleaner), and none of them could find anything either. That might be because I'd deleted the two files immediately though.
Still, they usually come back, so if they do, I'll run some scans before I delete them - that should give us some clues.
However, they might not be coming back at all: I've restored the original hosts using Hoster, and though I failed to keep a copy of the original settings, it looked like it had changed something. So maybe the hosts had been set up so those malware files were downloaded automatically whenever I went online - and that should be eliminated now.

Either way, thanks A LOT(!) for your help, and I will report back as soon as I know more (i.e. either if the malware files come back - or, preferably, if they didn't return for a few weeks).
Mosaic1
What is your home page?
What is your Firewall Situation?
There are other steps and if it comes back, we can pursue them.
Two other utilities to look at load points:



Please download silentrunners.zip
http://www.silentrunners.org/Silent%20Runners.zip

Unzip to your desktop and double click on the VBS file.
If you get a message about a malicious script, please allow the script to run. It is a diagnostic tool.

The script will save a Notepad document to your Desktop.

Copy and paste the contents of that text file into your next reply.
------
Download Autoruns from this page:
http://www.sysinternals.com/Utilities/Autoruns.html

Unzip to a folder and then double click on autoruns.exe

Wait until the program has finished running (the status line will show 'Ready')
Under the 'Options' menu, make sure that 'Include Empty Sections' is checked.
Wait again until ready.

Be sure the 'Everything' tab is selected.
Select 'File -> Save' and save the output file.

Copy the contents of the Autoruns text file and post its contents in your next reply here.



You can either run these now, or if it reappears later.

Also:

Download RootkitRevealer
http://www.sysinternals.com/utilities/rootkitrevealer.html


Extract RootkitRevealer

Double click on RootkitRevealer and press scan.

It will take some time to do a complete scan. When finished press file/save and post the contents of the log please.
Mosaic1
You said you were on dial-up.

This service seems to be installed with a dsl modem.
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe


Is your AV alerting you to these files being created? If so, and since there is no sign of them running, I wonder what is dropping them. Is this coming from your Network? I would definitely look at security.
Ace_NoOne
Thanks, I'll look into those tools.

As for the AVM service: My ISDN card is from AVM, and I have their Fritz! software installed - so that should be fine (though I have to admit I don't know what this particular item actually does).
Ace_NoOne
Okay, I've performed the scans with these tools, and here are the results:

RootkitReveal
QUOTE
HKLM\SOFTWARE\DeterministicNetworks\DNE\Parameters\SymbolicLinkValue 24.04.2005 12:32 132 bytes Hidden from Windows API.
F:\System Volume Information\_restore{0437AA9E-EAB7-4968-80C9-49A9845ECB0D}\RP15\A0005135.exe 23.09.2005 16:23 113.00 KB Visible in Windows API, but not in MFT or directory index.
F:\System Volume Information\_restore{0437AA9E-EAB7-4968-80C9-49A9845ECB0D}\RP15\A0005497.exe 26.08.2005 15:12 105.50 KB Visible in Windows API, but not in MFT or directory index.

With the last two entries, H+BEDV AntiVir Guard gave me the following warnings:
QUOTE
19.10.2005,19:19:47 [WARNUNG]  Enthält Code des Windows-Virus W32/Stanit!
  F:\SYSTEM VOLUME INFORMATION\_RESTORE{0437AA9E-EAB7-4968-80C9-49A9845ECB0D}\RP15\A0005135.EXE
      [INFO]  Die Datei wurde in das Quarantäneverzeichnis verschoben!
19.10.2005,19:20:28 [WARNUNG]  Enthält Signatur des Wurmes WORM/Gaobot.108032.9!
  F:\SYSTEM VOLUME INFORMATION\_RESTORE{0437AA9E-EAB7-4968-80C9-49A9845ECB0D}\RP15\A0005497.EXE
      [INFO]  Die Datei wurde in das Quarantäneverzeichnis verschoben!
Are those just the remnants of the files I'd deleted? Or might they be hiding there?

SilentRunners (plain-text file; remove the .JPG ending)

AutoRuns (plain-text file; remove the .JPG ending)
Mosaic1
Those two are in your Restore points and that should be cleaned out because if you need to use a restore point, you will get those files back again.

Once you do flush the restore points, you will not be able to correct any problems you may have now by going back to a point before today.


To flush the XP system Restore Points.

Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore.


Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

-------------

When you post logs, please copy and paste the contents of the logs into your reply here. The autoruns is very hard to read.
Please copy and paste the autoruns into your next reply. Thanks.
I read the silent Runners:
Did you want Active Desktop Turned off? You have this set in the registry.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoActiveDesktop"=dword:00000001
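As an added example (not code from the thread or from Sysinternals), the following Python script reads RootkitRevealer output lines of the form posted above and sorts them the way the advice in this post does: anything under `System Volume Information\_restore{...}` is a System Restore copy (the reason for flushing the restore points), a registry entry reported as "Hidden from Windows API" is kept in its own bucket for manual verification, and the size column is converted to bytes. The sample report is constructed from the three discrepancy lines posted in this thread; the bucket names and the classification rules are this example's own, not RootkitRevealer terminology.

```python
import re

# Constructed sample: the three RootkitRevealer discrepancy lines posted in
# this thread, copied verbatim.
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\DeterministicNetworks\DNE\Parameters\SymbolicLinkValue 24.04.2005 12:32 132 bytes Hidden from Windows API.
F:\System Volume Information\_restore{0437AA9E-EAB7-4968-80C9-49A9845ECB0D}\RP15\A0005135.exe 23.09.2005 16:23 113.00 KB Visible in Windows API, but not in MFT or directory index.
F:\System Volume Information\_restore{0437AA9E-EAB7-4968-80C9-49A9845ECB0D}\RP15\A0005497.exe 26.08.2005 15:12 105.50 KB Visible in Windows API, but not in MFT or directory index.
"""

# One report line: <path> <dd.mm.yyyy> <hh:mm> <size> <unit> <description>.
# The path may contain spaces, so it is matched lazily up to the date.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d.]+) (?P<unit>bytes|KB|MB|GB) (?P<desc>.+)$"
)
UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# XP System Restore keeps copies of removed files under this folder.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


def classify(desc):
    """Map RootkitRevealer's description text to a short discrepancy code."""
    d = desc.lower()
    if d.startswith("hidden from windows api"):
        return "hidden-from-api"
    if d.startswith("visible in windows api"):
        return "api-only"
    return "other"


def parse_report(text):
    """Parse every well-formed report line into a dict; skip anything else."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        entries.append({
            "path": path,
            "kind": "registry" if path.upper().startswith("HK") else "file",
            "size_bytes": int(round(float(m.group("size")) * UNIT[m.group("unit")])),
            "discrepancy": classify(m.group("desc")),
            "in_restore_point": bool(RESTORE_RE.search(path)),
        })
    return entries


def triage(text):
    """Bucket the discrepancies: restore-point copies first, then hidden items."""
    buckets = {"restore_point_copies": [], "hidden_registry": [],
               "hidden_files": [], "other": []}
    for e in parse_report(text):
        if e["in_restore_point"]:
            buckets["restore_point_copies"].append(e["path"])
        elif e["discrepancy"] == "hidden-from-api" and e["kind"] == "registry":
            buckets["hidden_registry"].append(e["path"])
        elif e["discrepancy"] == "hidden-from-api":
            buckets["hidden_files"].append(e["path"])
        else:
            buckets["other"].append(e["path"])
    return buckets


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_REPORT).items():
        print(bucket)
        for p in paths:
            print("   ", p)
```

Two observations the parsed output makes easy to check: both files that AntiVir quarantined sit in restore point RP15, so deleting the originals never touched these copies, and the second file's 105.50 KB is 108032 bytes, the same number that appears in the `WORM/Gaobot.108032.9` detection name in the AntiVir warning above. The registry entry is listed separately rather than dismissed; RootkitRevealer only reports that the Windows API and its own raw read of the hive disagree, and deciding whether that is benign is a manual step.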
Ace_NoOne
Okay, I've removed those restore points.

I didn't paste the log files directly into the posting because I thought it would be, well, too much. Anyways, here we go:
(Looks like that §$%&#! is now gone though; I've been online for a few hours now, and the files didn't return yet.)
QUOTE (SilentRunners)
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"type32" = ""C:\Programme\Microsoft IntelliType Pro\type32.exe"" [MS]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "D:\Adobe Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]
{C56CB6B0-0D96-11D6-8C65-B2868B609932}\(Default) = "NTIECatcher Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "D:\NETTRA~1\NTIEHelper.DLL" ["Xi"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}" = "NTFS-Sicherheit"
  -> {CLSID}\InProcServer32\(Default) = "rshx32_5.dll" [MS]
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
  -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplwir.dll"" [MS]
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
  -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
  -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplkey.dll"" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "D:\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
  -> {CLSID}\InProcServer32\(Default) = "D:\SmartFTP\smarthook.dll" ["SmartFTP"]
"{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile"
  -> {CLSID}\InProcServer32\(Default) = "D:\Siemens Data Suite\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile ContextMenuHandler"
  -> {CLSID}\InProcServer32\(Default) = "D:\Siemens Data Suite\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile PropertySheetHandler"
  -> {CLSID}\InProcServer32\(Default) = "D:\Siemens Data Suite\DES\DESShellExt.dll" ["Siemens AG"]
"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"
  -> {CLSID}\InProcServer32\(Default) = "D:\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]
"{709C6E11-538F-4759-86AC-6ACB302AA0DE}" = "Desktop Manager"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msvdm.dll" [null data]
"{F2185E5D-720E-4956-90D9-75F6AC141575}" = "Idea2 SidebarIconHandler Class"
  -> {CLSID}\InProcServer32\(Default) = "D:\Desktop Sidebar\sbhelp.dll" [file not found]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice Property Sheet Handler"
  -> {CLSID}\InProcServer32\(Default) = "D:\OpenOffice\program\shlxthdl.dll" ["Sun Microsystems, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "D:\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]
"{6B19FEC2-A45B-11CF-9045-00A0C9039735}" = "Registered ActiveX Controls"
  -> {CLSID}\InProcServer32\(Default) = "D:\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{D545EBD1-BD92-11CF-8772-00A0C9039735}" = "Developer Studio Components"
  -> {CLSID}\InProcServer32\(Default) = "D:\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Common Files\Microsoft Shared\Office11\MSOXMLMF.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
  -> {CLSID}\InProcServer32\(Default) = "D:\AntiVir\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WhoLockMe\(Default) = "{81ED7E40-2DE4-47ae-91CA-C3E8E8E98E22}"
  -> {CLSID}\InProcServer32\(Default) = "D:\WhoLockMe\WhoLockMe.dll" ["Bitmind"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
  -> {CLSID}\InProcServer32\(Default) = "D:\AntiVir\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WhoLockMe\(Default) = "{81ED7E40-2DE4-47ae-91CA-C3E8E8E98E22}"
  -> {CLSID}\InProcServer32\(Default) = "D:\WhoLockMe\WhoLockMe.dll" ["Bitmind"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]


Group Policies [Description]:
-----------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoActiveDesktop"=dword:00000001
[disables Active Desktop; removes Web tab from Display Properties|
Desktop (tab)|Customize Desktop... (button)|Desktop Items (window)]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop disabled via Group Policy.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Frederik\Eigene Dateien\Eigene Bilder\Supreme Commander.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Frederik" & "All Users" startup folders:
----------------------------------------------------------

C:\Dokumente und Einstellungen\Frederik\Startmenü\Programme\Autostart
"AllToTray" -> shortcut to: "D:\AllToTray\AllToTray.exe" ["DNTSoft"]
"autostart query" -> shortcut to: "C:\WINDOWS\system32\wscript.exe D:\autostart_query.vbs" [MS]
INFECTION WARNING! "todo.memo" [null data]
"WinKey" -> shortcut to: "D:\WinKey\WinKey.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
D:\NetLimiter\nl_lsp.dll [null data], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 25
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, ""D:\ANTIVIR\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""D:\AntiVir\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Cisco Systems, Inc. VPN Service, CVPND, ""D:\Cisco VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
FRITZ!fax Color Port Monitor\Driver = "FritzColorPort.dll" ["AVM Berlin GmbH"]
FRITZ!fax Port Monitor\Driver = "FritzPort.dll" ["AVM Berlin GmbH"]
SSGB3 Langmon\Driver = "Ssgb3mon.dll" ["Samsung Electronics."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 252 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 21 seconds.
---------- (total run time: 656 seconds)

QUOTE (AutoRuns)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit 
+ C:\WINDOWS\system32\userinit.exe Userinit-Anmeldeanwendung Microsoft Corporation c:\windows\system32\userinit.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell 
+ Explorer.exe Windows Explorer Microsoft Corporation c:\windows\explorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
+ KernelFaultCheck Windows Error Reporting Dump Reporting Tool Microsoft Corporation c:\windows\system32\dumprep.exe
+ Logitech Utility Logitech Launcher Application Logitech Inc. c:\windows\logi_mwx.exe
+ NvCplDaemon NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll
+ type32 Type32.exe Microsoft Corporation c:\programme\microsoft intellitype pro\type32.exe
C:\Dokumente und Einstellungen\Frederik\Startmenü\Programme\Autostart 
+ AllToTray.lnk Minimize To Tray DNTSoft d:\alltotray\alltotray.exe
+ autostart query.lnk Microsoft ® Windows Based Script Host Microsoft Corporation c:\windows\system32\wscript.exe
+ todo.memo  c:\dokumente und einstellungen\frederik\startmenü\programme\autostart\todo.memo
+ WinKey.lnk  d:\winkey\winkey.exe
HKLM\System\CurrentControlSet\Services 
+ AntiVirService Permanenter Virenschutz mit der H+BEDV AntiVir Suchengine. H+BEDV Datentechnik GmbH d:\antivir\avguard.exe
+ AudioSrv Verwaltet Audiogeräte für Windows-basierte Programme. Wenn dieser Dienst beendet wird, werden Audiogeräte und -effekte nicht korrekt funktionieren. Wenn dieser Dienst deaktiviert wird, werden alle von diesem Dienst explizit abhängigen Dienste nicht gestartet werden können. Microsoft Corporation c:\windows\system32\svchost.exe
+ AVWUpSrv Hilfsdienst fuer AntiVir Personal Edition. H+BEDV Datentechnik GmbH, Germany d:\antivir\avwupsrv.exe
+ Browser Führt eine aktuelle Liste der Computer im Netzwerk und gibt diese an als Browser fungierende Computer weiter. Diese Liste wird nicht aktualisiert oder gewartet, falls der Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem ausschließlich Dienst abhängig sind, nicht mehr gestartet werden. Microsoft Corporation c:\windows\system32\svchost.exe
+ CryptSvc Stellt drei Verwaltungsdienste bereit: den Katalogdatenbankdienst, der die Signaturen von Windows-Dateien bestätigt; den Dienst für geschützten Stammspeicher, der Zertifikate vertrauenswürdiger Stammzertifizierungsstellen zu diesem Computer hinzufügt und entfernt und den Schlüsseldienst, der diesen Computer bei Einschreibungen in  Zertifikate unterstützt. Wenn dieser Dienst beendet wird, werden diese Verwaltungsdienste nicht korrekt funktionieren.  Wenn dieser Dienst deaktiviert wird, werden alle von diesem Dienst explizit abhängigen Dienste nicht gestartet werden können. Microsoft Corporation c:\windows\system32\svchost.exe
+ CVPND Cisco Systems VPN Client Cisco Systems, Inc. d:\cisco vpn client\cvpnd.exe
+ Dhcp Verwaltet die Netzwerkkonfiguration, indem IP-Adressen und DNS-Namen registriert und aktualisiert werden. Microsoft Corporation c:\windows\system32\svchost.exe
+ Dnscache Wertet DNS-Namen (Domain Name System) für diesen Computer aus und speichert sie zwischen. Falls dieser Dienst beendet wird, kann der Computer keine DNS-Namen auflösen und Active Directory-Domänencontroller ermitteln. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden. Microsoft Corporation c:\windows\system32\svchost.exe
+ Eventlog Ermöglicht die Ansicht von Ereignisprotokollmeldungen von Windows-basierten Programmen und Komponenten in der Ereignisanzeige. Dieser Dienst kann nicht beendet werden. Microsoft Corporation c:\windows\system32\services.exe
+ helpsvc Aktiviert das Hilfe- und Supportcenter auf diesem Computer. Das Hilfe- und Supportcenter ist nicht verfügbar, wenn dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden. Microsoft Corporation c:\windows\system32\svchost.exe
+ HidServ Ermöglicht einen Standardeingabezugang für Eingabegeräte (HID-Geräte), welcher die Verwendung von vordefinierten Schnelltasten auf Tastaturen, Fernbedienungen und anderen Multimediageräten aktiviert und unterstützt. Wenn dieser Dienst beendet wird, werden die von diesem Dienst gesteuerten Schnelltasten nicht mehr funktionieren. Wenn dieser Dienst deaktiviert wird, werden alle von diesem Dienst explizit abhängigen Dienste nicht gestartet werden können. Microsoft Corporation c:\windows\system32\svchost.exe
+ lanmanserver Unterstützt Datei-, Drucker- und Named-Piped-Freigabe für diesen Computer über das Netzwerk. Diese Funktionen sind nicht mehr verfügbar, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden. Microsoft Corporation c:\windows\system32\svchost.exe
+ lanmanworkstation Erstellt und wartet Clientnetzwerkverbindungen mit Remoteservern. Diese Verbindungen sind nicht mehr verfügbar, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden. Microsoft Corporation c:\windows\system32\svchost.exe
+ LmHosts Ermöglicht die Unterstützung vom NetBIOS-über-TCP/IP-Dienst (NetBT) und die NetBIOS-Namensauflösung. Microsoft Corporation c:\windows\system32\svchost.exe
+ NVSvc Provides system and desktop level support to the NVIDIA display driver NVIDIA Corporation c:\windows\system32\nvsvc32.exe
+ PlugPlay Ermöglicht dem Computer, Hardwareänderungen zu erkennen und sich ohne oder mit geringer Benutzerinteraktion darauf einzustellen. Beenden oder Deaktivieren dieses Dienstes wird die Systemstabilität beeinträchtigen. Microsoft Corporation c:\windows\system32\services.exe
+ PolicyAgent Verwaltet IP-Sicherheitsrichtlinien und startet den IKE-Treiber (ISAKMP/Oakley) und den IP-Sicherheitstreiber. Microsoft Corporation c:\windows\system32\lsass.exe
+ ProtectedStorage Bietet geschützten Speicherplatz für private Daten, wie z. B. private Schlüssel, um Zugriff durch nicht autorisierte Dienste, Prozesse oder Benutzer zu unterbinden. Microsoft Corporation c:\windows\system32\lsass.exe
+ RpcSs Endpunktzuordnung und andere verschiedene RPC-Dienste. Microsoft Corporation c:\windows\system32\svchost.exe
+ SamSs Speichert Sicherheitsinformationen für lokale Benutzerkonten. Microsoft Corporation c:\windows\system32\lsass.exe
+ seclogon Ermöglicht das Starten von Prozessen unter Verwendung alternativer Anmeldeinformationen. Wenn dieser Dienst beendet wird, wird diese Art der Anmeldung nicht mehr zur Verfügung stehen. Wenn dieser Dienst deaktiviert wird, werden alle von diesem Dienst explizit abhängigen Dienste nicht gestartet werden können. Microsoft Corporation c:\windows\system32\svchost.exe
+ SENS Verfolgt Systemereignisse wie Windows-Anmeldungen sowie Netzwerk- und Stromversorgungsereignisse.  Benachrichtigt außerdem COM+ Ereignissystembezieher von diesen Ereignissen. Microsoft Corporation c:\windows\system32\svchost.exe
+ ShellHWDetection Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe
+ Spooler Lädt die Dateien in den Arbeitsspeicher, um sie später zu drucken. Microsoft Corporation c:\windows\system32\spoolsv.exe
+ srservice Führt Systemwiederherstellungsfunktionen durch. Deaktivieren Sie "Systemwiederherstellung" auf der Systemwiederherstellungsregisterkarte in Arbeitsplatz->Eigenschaften, um den Dienst zu beenden. Microsoft Corporation c:\windows\system32\svchost.exe
+ stisvc Bietet Bilderfassungsdienste für Scanner und Kameras. Microsoft Corporation c:\windows\system32\svchost.exe
+ Themes Stellt die Designverwaltung zur Verfügung. Microsoft Corporation c:\windows\system32\svchost.exe
+ TrkWks Hält Verknüpfungen für NTFS-Dateien auf einem Computer oder zwischen Computern in einer Netzwerkdomäne aufrecht. Microsoft Corporation c:\windows\system32\svchost.exe
+ uploadmgr Verwaltet synchrone und asynchrone Dateiübertragungen zwischen Clients und Servern im Netzwerk. Synchrone und asynchrone Dateiübertragungen zwischen Clients und Servern werden nicht ausgeführt, wenn dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden. Microsoft Corporation c:\windows\system32\svchost.exe
+ WebClient Ermöglicht Windows-basierten Programmen, Internet-basierte Dateien zu erstellen, darauf zuzugreifen und sie zu verändern. Wenn dieser Dienst beendet wird, werden diese Funktionen nicht mehr zur Verfügung stehen. Wenn dieser Dienst deaktiviert wird, werden alle von diesem Dienst explizit abhängigen Dienste nicht gestartet werden können. Microsoft Corporation c:\windows\system32\svchost.exe
+ winmgmt Bietet eine standardmäßige Schnittstelle und Objektmodell zum Zugreifen auf Verwaltungsinformationen über das Betriebssystem, Geräte, Anwendungen und Dienste. Die meiste Windows-basierte Software kann nicht ordnungsgemäß ausgeführt werden, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden. Microsoft Corporation c:\windows\system32\svchost.exe
+ WmdmPmSp Ermittelt die Seriennummer aller tragbaren Musikabspielgeräte, die an den Computer angeschlossen sind. Microsoft Corporation c:\windows\system32\svchost.exe
+ wuauserv Aktiviert den Download und die Installation von Windows-Updates. Der Computer kann automatische Updates oder die Windows Update-Website nicht verwenden, falls der Dienst deaktiviert wird. Microsoft Corporation c:\windows\system32\svchost.exe
+ WZCSVC Bietet automatische Konfiguration für 802.11-Adapter. Microsoft Corporation c:\windows\system32\svchost.exe
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components 
+ Adressbuch 6 Bibliothek für Outlook Setup Microsoft Corporation c:\programme\outlook express\setup50.exe
+ Browseranpassungen Microsoft Internet Explorer-Anpassungs-DLL Microsoft Corporation c:\windows\system32\iedkcs32.dll
+ Internet Explorer Windows NT User Data Migration Tool Microsoft Corporation c:\windows\system32\shmgrate.exe
+ Internet Explorer 6 IE 5.0 Per-User Install Utility Microsoft Corporation c:\windows\system32\ie4uinit.exe
+ Microsoft Outlook Express 6 Bibliothek für Outlook Setup Microsoft Corporation c:\programme\outlook express\setup50.exe
+ Microsoft Windows Media Player 6.4 ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll
+ Microsoft Windows Media Player 8 ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll
+ NetMeeting 3.01 ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll
+ Outlook Express Windows NT User Data Migration Tool Microsoft Corporation c:\windows\system32\shmgrate.exe
+ Themes Setup Microsoft© Registerserver Microsoft Corporation c:\windows\system32\regsvr32.exe
+ Windows Desktop-Update Microsoft© Registerserver Microsoft Corporation c:\windows\system32\regsvr32.exe
+ Windows Media Player Microsoft Windows Media Player-Installationsdienstprogramm Microsoft Corporation c:\windows\inf\unregmp2.exe
+ Windows Messenger ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler 
+ Browseui preloader Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Component Categories cache daemon Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 
+ CDBurn Allgemeine Windows-Shell-DLL Microsoft Corporation c:\windows\system32\shell32.dll
+ PostBootReminder Allgemeine Windows-Shell-DLL Microsoft Corporation c:\windows\system32\shell32.dll
+ SysTray Systray-Shell-Serviceobjekt Microsoft Corporation c:\windows\system32\stobject.dll
+ WebCheck Websiteüberwachung Microsoft Corporation c:\windows\system32\webcheck.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks 
+ shell32.dll Allgemeine Windows-Shell-DLL Microsoft Corporation c:\windows\system32\shell32.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved 
+ %DESC_PublishDropTarget% Fotodruck-Assistent Microsoft Corporation c:\windows\system32\photowiz.dll
+ &Adresse Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ &Nach Personen... Personen suchen Microsoft Corporation c:\programme\outlook express\wabfind.dll
+ .CAB file viewer Shellerweiterung von Kabinettdatei-Viewer Microsoft Corporation c:\windows\system32\cabview.dll
+ Accessible Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ ActiveX-Cacheordner Object Control Viewer Microsoft Corporation c:\windows\system32\occache.dll
+ Address EditBox Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Aktenkoffer Windows Aktenkoffer Microsoft Corporation c:\windows\system32\syncui.dll
+ Audio Media Properties Handler Extrahierungsshellerweiterung der Mediendateieigenschaften Microsoft Corporation c:\windows\system32\shmedia.dll
+ Augmented Shell Folder Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Augmented Shell Folder 2 Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Ausführen... Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Auto Update Property Sheet Extension Systemsteuerungsoption für Automatische Updates Microsoft Corporation c:\windows\system32\wuaucpl.cpl
+ BandProxy Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Benutzerkonten Netzlaufwerke zuordnen/Assistent für Netzwerkressourcen Microsoft Corporation c:\windows\system32\netplwiz.dll
+ Bestellung von Abzügen über das Internet Netzlaufwerke zuordnen/Assistent für Netzwerkressourcen Microsoft Corporation c:\windows\system32\netplwiz.dll
+ CDF Extension Copy Hook Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Channel Menu Viewer für Channeldefinitionsdatei Microsoft Corporation c:\windows\system32\cdfview.dll
+ Channel Properties Viewer für Channeldefinitionsdatei Microsoft Corporation c:\windows\system32\cdfview.dll
+ Channeldatei Viewer für Channeldefinitionsdatei Microsoft Corporation c:\windows\system32\cdfview.dll
+ Channelhandlerobjekt Viewer für Channeldefinitionsdatei Microsoft Corporation c:\windows\system32\cdfview.dll
+ Channelverknüpfung Viewer für Channeldefinitionsdatei Microsoft Corporation c:\windows\system32\cdfview.dll
+ CloneCD CloseTray Elaborate Bytes d:\clonecd\elbyvcdshell.dll
+ Code Download Agent Websiteüberwachung Microsoft Corporation c:\windows\system32\webcheck.dll
+ Compressed (zipped) Folder Right Drag Handler ZIP-komprimierte Ordner Microsoft Corporation c:\windows\system32\zipfldr.dll
+ Compressed (zipped) Folder SendTo Target ZIP-komprimierte Ordner Microsoft Corporation c:\windows\system32\zipfldr.dll
+ ConnectionAgent Websiteüberwachung Microsoft Corporation c:\windows\system32\webcheck.dll
+ CPL-Erweiterung für Anzeigeverschiebung  File not found: deskpan.dll
+ CPL-Erweiterung für Bildschirme Erweiterte Eigenschaften des Bildschirms Microsoft Corporation c:\windows\system32\deskmon.dll
+ CPL-Erweiterung für Grafikkarten Erweiterte Eigenschaften der Grafikkarte Microsoft Corporation c:\windows\system32\deskadp.dll
+ Custom MRU AutoCompleted List Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Darwin App Publisher Shellanwendungs-Manager Microsoft Corporation c:\windows\system32\appwiz.cpl
+ Desktop Explorer NVIDIA Desktop Explorer, Version 61.77  NVIDIA Corporation c:\windows\system32\nvshell.dll
+ Desktop Explorer Menu NVIDIA Desktop Explorer, Version 61.77  NVIDIA Corporation c:\windows\system32\nvshell.dll
+ Desktop Manager  c:\windows\system32\msvdm.dll
+ Developer Studio Components Microsoft® Developer Studio Explorer Shell-Erweiterungen Microsoft Corporation d:\microsoft visual studio\common\msdev98\bin\ide\devxpgl.dll
+ DfsShell DFS-Shellerweiterung Microsoft Corporation c:\windows\system32\dfsshlex.dll
+ Directory Context Menu Verbs Gemeinsame Benutzeroberfläche des Verzeichnisdienstes Microsoft Corporation c:\windows\system32\dsuiext.dll
+ Directory Object Find Verzeichnisdienstsuche Microsoft Corporation c:\windows\system32\dsquery.dll
+ Directory Property UI Gemeinsame Benutzeroberfläche des Verzeichnisdienstes Microsoft Corporation c:\windows\system32\dsuiext.dll
+ Directory Query UI Verzeichnisdienstsuche Microsoft Corporation c:\windows\system32\dsquery.dll
+ Directory Start/Search Find Verzeichnisdienstsuche Microsoft Corporation c:\windows\system32\dsquery.dll
+ Disk Quota UI Windows Shell-Datenträgerkontingent-UI-DLL Microsoft Corporation c:\windows\system32\dskquoui.dll
+ Display TroubleShoot CPL Extension Erweiterte Anzeigeeigenschaften Microsoft Corporation c:\windows\system32\deskperf.dll
+ Download Status Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Druckersicherheit Sicherheitserweiterung der Shell Microsoft Corporation c:\windows\system32\rshx32.dll
+ DS-Sicherheit Sicherheitsbenutzeroberfläche des Verzeichnisdienstes Microsoft Corporation c:\windows\system32\dssec.dll
+ E-Mail Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Eigenschaften für Multimediadatei Treiber-Systemsteuerungsoption Microsoft Corporation c:\windows\system32\mmsys.cpl
+ Erweiterung für Datenträgerkopien Windows DiskCopy Microsoft Corporation c:\windows\system32\diskcopy.dll
+ Erweiterung für HyperTerminal-Icons HyperTerminal Applet Library Hilgraeve, Inc. c:\windows\system32\hticons.dll
+ Explorer-Band Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Favorites Band Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ FTP Folders Webview Microsoft Internet Explorer FTP-Ordnershellerweiterung Microsoft Corporation c:\windows\system32\msieftp.dll
+ Fusion Cache Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\windows\system32\mscoree.dll
+ GDI+ Dateiminiaturansicht-Extrahierungsprogramm Windows Bild- und Faxanzeige Microsoft Corporation c:\windows\system32\shimgvw.dll
+ Geplante Tasks Schnittstellen-DLL für Taskplaner Microsoft Corporation c:\windows\system32\mstask.dll
+ Global Folder Settings Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Hilfe und Support Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Hilfe und Support Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ HTML-Extrahierungsprogramm Windows Bild- und Faxanzeige Microsoft Corporation c:\windows\system32\shimgvw.dll
+ ICC-Profil DLL der Benutzeroberfläche für Microsoft Color Matching Microsoft Corporation c:\windows\system32\icmui.dll
+ ICM-Druckerverwaltung DLL der Benutzeroberfläche für Microsoft Color Matching Microsoft Corporation c:\windows\system32\icmui.dll
+ ICM-Monitorverwaltung DLL der Benutzeroberfläche für Microsoft Color Matching Microsoft Corporation c:\windows\system32\icmui.dll
+ ICM-Scannerverwaltung DLL der Benutzeroberfläche für Microsoft Color Matching Microsoft Corporation c:\windows\system32\icmui.dll
+ Idea2 SidebarIconHandler Class  File not found: D:\Desktop Sidebar\sbhelp.dll
+ IE4 Suite-Begrüßungsbildschirm Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ In-pane search Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Installed Apps Enumerator Shellanwendungs-Manager Microsoft Corporation c:\windows\system32\appwiz.cpl
+ IntelliType Pro Key Settings Control Panel Property Page itcplkey Microsoft Corporation c:\programme\microsoft intellitype pro\itcplkey.dll
+ IntelliType Pro Scrolling Control Panel Property Page itcplwhl Microsoft Corporation c:\programme\microsoft intellitype pro\itcplwhl.dll
+ IntelliType Pro Wireless Control Panel Property Page itcplwir Microsoft Corporation c:\programme\microsoft intellitype pro\itcplwir.dll
+ Internet Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Internet Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Internet Name Space Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ InternetShortcut Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ ISFBand OC Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Kompatibilitätsseite Shellerweiterungs-DLL für Registerkarte "Kompatibilität" Microsoft Corporation c:\windows\system32\slayerxp.dll
+ Krypto-PKO-Erweiterung Krypto-Shellerweiterungen Microsoft Corporation c:\windows\system32\cryptext.dll
+ Krypto-Sign-Erweiterung Krypto-Shellerweiterungen Microsoft Corporation c:\windows\system32\cryptext.dll
+ Media Band Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Agent Character Property Sheet Handler Microsoft Agent Property Sheet Handler Microsoft Corporation c:\windows\msagent\agentpsh.dll
+ Microsoft AutoComplete Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Browser Architecture Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Microsoft BrowserBand Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Datenverknüpfung Microsoft Data Access - OLE DB Core Services Microsoft Corporation c:\programme\gemeinsame dateien\system\ole db\oledb32.dll
+ Microsoft DocProp Inplace Calendar Control Microsoft DocProp-Shellerweiterung Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft DocProp Inplace Droplist Combo Control Microsoft DocProp-Shellerweiterung Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft DocProp Inplace Edit Box Control Microsoft DocProp-Shellerweiterung Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft DocProp Inplace ML Edit Box Control Microsoft DocProp-Shellerweiterung Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft DocProp Inplace Time Control Microsoft DocProp-Shellerweiterung Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft DocProp Shell Ext Microsoft DocProp-Shellerweiterung Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft History AutoComplete List Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Internet Toolbar Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Multiple AutoComplete List Container Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Office HTML Icon Handler Microsoft Office XP component Microsoft Corporation d:\microsoft office\office10\msohev.dll
+ Microsoft Shell Folder AutoComplete List Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Url Sucheingriff Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Microsoft URL-Verlauf-Dienst Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Midi Properties Handler Extrahierungsshellerweiterung der Mediendateieigenschaften Microsoft Corporation c:\windows\system32\shmedia.dll
+ MMC Icon Handler MMC Shell Extension DLL Microsoft Corporation c:\windows\system32\mmcshext.dll
+ Mobile DESShellExt Module Siemens AG d:\siemens data suite\des\desshellext.dll
+ Mobile ContextMenuHandler DESShellExt Module Siemens AG d:\siemens data suite\des\desshellext.dll
+ Mobile PropertySheetHandler DESShellExt Module Siemens AG d:\siemens data suite\des\desshellext.dll
+ MRU AutoComplete List Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ MyDocs Copy Hook Benutzeroberfläche des Verzeichnisses "Eigene Dateien" Microsoft Corporation c:\windows\system32\mydocs.dll
+ MyDocs Drop Target Benutzeroberfläche des Verzeichnisses "Eigene Dateien" Microsoft Corporation c:\windows\system32\mydocs.dll
+ MyDocs Properties Benutzeroberfläche des Verzeichnisses "Eigene Dateien" Microsoft Corporation c:\windows\system32\mydocs.dll
+ Netzwerkverbindungen Shell für Netzwerkverbindungen Microsoft Corporation c:\windows\system32\netshell.dll
+ Netzwerkverbindungen Shell für Netzwerkverbindungen Microsoft Corporation c:\windows\system32\netshell.dll
+ NTFS-Sicherheit Security Shell Extension Microsoft Corporation c:\windows\system32\rshx32_5.dll
+ NvCpl DesktopContext Class NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll
+ nView Desktop Context Menu NVIDIA Desktop Explorer, Version 61.77  NVIDIA Corporation c:\windows\system32\nvshell.dll
+ Offline Files Folder Options Clientseitige Cachebenutzeroberfläche Microsoft Corporation c:\windows\system32\cscui.dll
+ Offline Files Menu Clientseitige Cachebenutzeroberfläche Microsoft Corporation c:\windows\system32\cscui.dll
+ OLE-Eigenschaftenseite für Dokumente OLE-Eigenschaftenseite für Dokumente Microsoft Corporation c:\windows\system32\docprop.dll
+ OpenOffice Property Sheet Handler  Sun Microsystems, Inc. d:\openoffice\program\shlxthdl.dll
+ Ordner 'Offlinedateien' Clientseitige Cachebenutzeroberfläche Microsoft Corporation c:\windows\system32\cscui.dll
+ Passport-Assistent Netzlaufwerke zuordnen/Assistent für Netzwerkressourcen Microsoft Corporation c:\windows\system32\netplwiz.dll
+ Play on my TV helper NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll
+ PlusPack CPL Extension Windows-Design-API Microsoft Corporation c:\windows\system32\themeui.dll
+ PostAgent Websiteüberwachung Microsoft Corporation c:\windows\system32\webcheck.dll
+ Registered ActiveX Controls Microsoft® Developer Studio Explorer Shell-Erweiterungen Microsoft Corporation d:\microsoft visual studio\common\msdev98\bin\ide\devxpgl.dll
+ Registry Tree Options Utility Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Remote Sessions CPL Extension CPL-Erweiterung für Remotesitzungen Microsoft Corporation c:\windows\system32\remotepg.dll
+ Scanner und Kameras Shellordner-Benutzeroberfläche für Imaging-Geräte Microsoft Corporation c:\windows\system32\wiashext.dll
+ Scanner und Kameras Shellordner-Benutzeroberfläche für Imaging-Geräte Microsoft Corporation c:\windows\system32\wiashext.dll
+ Scanner und Kameras Shellordner-Benutzeroberfläche für Imaging-Geräte Microsoft Corporation c:\windows\system32\wiashext.dll
+ Scanner und Kameras Shellordner-Benutzeroberfläche für Imaging-Geräte Microsoft Corporation c:\windows\system32\wiashext.dll
+ Scanner und Kameras Shellordner-Benutzeroberfläche für Imaging-Geräte Microsoft Corporation c:\windows\system32\wiashext.dll
+ Schriftarten Windows Schriftarten-Ordner Microsoft Corporation c:\windows\system32\fontext.dll
+ Schriftarten Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Search Assistant OC Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Search Band Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Sendmail service E-Mail senden Microsoft Corporation c:\windows\system32\sendmail.dll
+ Sendmail service E-Mail senden Microsoft Corporation c:\windows\system32\sendmail.dll
+ Set Program Access and Defaults Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Shell Application Manager Shellanwendungs-Manager Microsoft Corporation c:\windows\system32\appwiz.cpl
+ Shell Automation Inproc Service Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Shell Band Site Menu Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Shell DeskBar Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Shell DeskBarApp Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Shell DocObject Viewer Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Shell Extensions for RealOne Player RealPlayer Shell Extensions RealNetworks, Inc. d:\real alternative\rpshell.dll
+ Shell Image Data Factory Windows Bild- und Faxanzeige Microsoft Corporation c:\windows\system32\shimgvw.dll
+ Shell Image Property Handler Windows Bild- und Faxanzeige Microsoft Corporation c:\windows\system32\shimgvw.dll
+ Shell Image Verbs Windows Bild- und Faxanzeige Microsoft Corporation c:\windows\system32\shimgvw.dll
+ Shell properties for a DS object Verzeichnisdienstsuche Microsoft Corporation c:\windows\system32\dsquery.dll
+ Shell Rebar BandSite Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Shell-Datenauszughandler Shell-Datenauszughandler Microsoft Corporation c:\windows\system32\shscrap.dll
+ Shellerweiterung für Webdrucker DLL für die Druckerbenutzeroberfläche Microsoft Corporation c:\windows\system32\printui.dll
+ Shellerweiterungen für Freigaben Shellerweiterungen für Freigaben Microsoft Corporation c:\windows\system32\ntshrui.dll
+ Shellerweiterungen für Freigaben Shellerweiterungen für Freigaben Microsoft Corporation c:\windows\system32\ntshrui.dll
+ Shellerweiterungen für Microsoft Windows-Netzwerkobjekte Shellbenutzeroberfläche für das Netzwerkobjekt Microsoft Corporation c:\windows\system32\ntlanui2.dll
+ Shellerweiterungen für Windows Script Host Microsoft ® Shell Extension for Windows Script Host Microsoft Corporation c:\windows\system32\wshext.dll
+ Shellobjekt des Webpublishing-Assistenten Netzlaufwerke zuordnen/Assistent für Netzwerkressourcen Microsoft Corporation c:\windows\system32\netplwiz.dll
+ SmartFTP Shell Extension DLL SmartFTP Shell Extension SmartFTP d:\smartftp\smarthook.dll
+ Subscription Folder Websiteüberwachung Microsoft Corporation c:\windows\system32\webcheck.dll
+ Subscription Mgr Websiteüberwachung Microsoft Corporation c:\windows\system32\webcheck.dll
+ Suchen Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Syntaxanalyse der Adressleiste Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Taskleiste und Startmenü Allgemeine Windows-Shell-DLL Microsoft Corporation c:\windows\system32\shell32.dll
+ Tasks Folder Icon Handler Schnittstellen-DLL für Taskplaner Microsoft Corporation c:\windows\system32\mstask.dll
+ Tasks Folder Shell Extension Schnittstellen-DLL für Taskplaner Microsoft Corporation c:\windows\system32\mstask.dll
+ Temporary Internet Files Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Temporary Internet Files Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Track Popup Bar Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ TrayAgent Websiteüberwachung Microsoft Corporation c:\windows\system32\webcheck.dll
+ TridentImageExtractor Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ User Assist Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ Verlauf Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Verwaltung Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Video Media Properties Handler Extrahierungsshellerweiterung der Mediendateieigenschaften Microsoft Corporation c:\windows\system32\shmedia.dll
+ Video Thumbnail Extractor Extrahierungsshellerweiterung der Mediendateieigenschaften Microsoft Corporation c:\windows\system32\shmedia.dll
+ Wav Properties Handler Extrahierungsshellerweiterung der Mediendateieigenschaften Microsoft Corporation c:\windows\system32\shmedia.dll
+ Web Search Shell Browser UI-Bibliothek Microsoft Corporation c:\windows\system32\browseui.dll
+ WebCheck Websiteüberwachung Microsoft Corporation c:\windows\system32\webcheck.dll
+ WebCheck SyncMgr Handler Websiteüberwachung Microsoft Corporation c:\windows\system32\webcheck.dll
+ WebCheckChannelAgent Websiteüberwachung Microsoft Corporation c:\windows\system32\webcheck.dll
+ WebCheckWebCrawler Websiteüberwachung Microsoft Corporation c:\windows\system32\webcheck.dll
+ Webordner Microsoft Web Folders Microsoft Corporation c:\programme\gemeinsame dateien\microsoft shared\web folders\msonsext.dll
+ Webpublishing-Assistent Netzlaufwerke zuordnen/Assistent für Netzwerkressourcen Microsoft Corporation c:\windows\system32\netplwiz.dll
+ Windows Media Player Add to Playlist Context Menu Handler Windows Media Player-Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll
+ Windows Media Player Burn Audio CD Context Menu Handler Windows Media Player-Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll
+ Windows Media Player Play as Playlist Context Menu Handler Windows Media Player-Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll
+ WinRAR shell extension  d:\winrar\rarext.dll
+ ZIP-komprimierter Ordner ZIP-komprimierte Ordner Microsoft Corporation c:\windows\system32\zipfldr.dll
+ Zusammenfassungs-Miniaturansichthandler (DOCFILES) Windows Bild- und Faxanzeige Microsoft Corporation c:\windows\system32\shimgvw.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects 
+ AcroIEHlprObj Class Adobe Acrobat IE Helper Version 7.0 for ActiveX Adobe Systems Incorporated d:\adobe reader\activex\acroiehelper.dll
+ Google Toolbar Helper Google IE Client Toolbar Google Inc. c:\programme\google\googletoolbar1.dll
+ NTIECatcher Class Net Transport IE Helper Module Xi d:\nettransport\ntiehelper.dll
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks 
+ shdocvw.dll Bibliothek für Shell-Dokumente und -Steuerelemente Microsoft Corporation c:\windows\system32\shdocvw.dll
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute 
+ autocheck autochk * Automatisches Prüfprogramm Microsoft Corporation c:\windows\system32\autochk.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options 
+ Your Image File Name Here without a path Symbolic Debugger for Windows 2000 Microsoft Corporation c:\windows\system32\ntsd.exe
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls 
+ advapi32 Erweitertes Windows 32 Base-API Microsoft Corporation c:\windows\system32\advapi32.dll
+ comdlg32 DLL für gemeinsame Dialoge Microsoft Corporation c:\windows\system32\comdlg32.dll
+ DllDirectory  c:\windows\system32
+ gdi32 GDI Client DLL Microsoft Corporation c:\windows\system32\gdi32.dll
+ imagehlp Windows NT Image Helper Microsoft Corporation c:\windows\system32\imagehlp.dll
+ kernel32 Client-DLL für Windows NT-Basis-API Microsoft Corporation c:\windows\system32\kernel32.dll
+ lz32 LZ Expand/Compress API DLL Microsoft Corporation c:\windows\system32\lz32.dll
+ ole32 Microsoft OLE für Windows Microsoft Corporation c:\windows\system32\ole32.dll
+ oleaut32 Microsoft OLE 3.50  for Windows NT™ and Windows 95™ Operating Systems Microsoft Corporation c:\windows\system32\oleaut32.dll
+ olecli32 OLE-Clientbibliothek Microsoft Corporation c:\windows\system32\olecli32.dll
+ olecnv32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\olecnv32.dll
+ olesvr32 Object Linking and Embedding Server Library Microsoft Corporation c:\windows\system32\olesvr32.dll
+ olethk32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\olethk32.dll
+ rpcrt4 Remote Procedure Call Runtime Microsoft Corporation c:\windows\system32\rpcrt4.dll
+ shell32 Allgemeine Windows-Shell-DLL Microsoft Corporation c:\windows\system32\shell32.dll
+ url Shell-Erweiterungs-DLL für Internetverknüpfung Microsoft Corporation c:\windows\system32\url.dll
+ urlmon OLE32-Erweiterung für Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ user32 Client-DLL für Windows XP USER-API Microsoft Corporation c:\windows\system32\user32.dll
+ version Version Checking and File Installation Libraries Microsoft Corporation c:\windows\system32\version.dll
+ wininet Interneterweiterungen für Win32 Microsoft Corporation c:\windows\system32\wininet.dll
+ wldap32 Win32 LDAP-API-DLL Microsoft Corporation c:\windows\system32\wldap32.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify 
+ cscdll Offlinenetzwerk-Agent Microsoft Corporation c:\windows\system32\cscdll.dll
+ ScCertProp Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
+ Schedule Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
+ SensLogn Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
+ termsrv Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
+ wlballoon Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
HKCU\Control Panel\Desktop\Scrnsave.exe 
+ C:\WINDOWS\System32\logon.scr Anmeldebildschirmschoner Microsoft Corporation c:\windows\system32\logon.scr
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{128A5184-C415-4228-8AA4-3529A0E1902B}] DATAGRAM 6 Microsoft Windows Sockets 2.0-Dienstanbieter Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{128A5184-C415-4228-8AA4-3529A0E1902B}] SEQPACKET 6 Microsoft Windows Sockets 2.0-Dienstanbieter Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{2674B94D-0834-4D1C-B523-3F50E7FF4EC6}] DATAGRAM 0 Microsoft Windows Sockets 2.0-Dienstanbieter Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{2674B94D-0834-4D1C-B523-3F50E7FF4EC6}] SEQPACKET 0 Microsoft Windows Sockets 2.0-Dienstanbieter Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{5093180B-060B-4307-8DD5-6808F8AEE8D7}] DATAGRAM 3 Microsoft Windows Sockets 2.0-Dienstanbieter Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{5093180B-060B-4307-8DD5-6808F8AEE8D7}] SEQPACKET 3 Microsoft Windows Sockets 2.0-Dienstanbieter Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{700E264A-CB06-48B2-B0E7-C263603CD904}] DATAGRAM 5 Microsoft Windows Sockets 2.0-Dienstanbieter Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{700E264A-CB06-48B2-B0E7-C263603CD904}] SEQPACKET 5 Microsoft Windows Sockets 2.0-Dienstanbieter Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{8318E184-DD42-41A0-9105-53D79FC6FC58}] DATAGRAM 2 Microsoft Windows Sockets 2.0-Dienstanbieter Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{8318E184-DD42-41A0-9105-53D79FC6FC58}] SEQPACKET 2 Microsoft Windows Sockets 2.0-Dienstanbieter Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{9F751840-7722-4EB8-BB91-084534346082}] DATAGRAM 1 Microsoft Windows Sockets 2.0-Dienstanbieter Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{9F751840-7722-4EB8-BB91-084534346082}] SEQPACKET 1 Microsoft Windows Sockets 2.0-Dienstanbieter Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{A4B33D10-87BB-414E-919A-8572E290EBAA}] DATAGRAM 4 Microsoft Windows Sockets 2.0-Dienstanbieter Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{A4B33D10-87BB-414E-919A-8572E290EBAA}] SEQPACKET 4 Microsoft Windows Sockets 2.0-Dienstanbieter Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [RAW/IP] Microsoft Windows Sockets 2.0-Dienstanbieter Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [TCP/IP] Microsoft Windows Sockets 2.0-Dienstanbieter Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [UDP/IP] Microsoft Windows Sockets 2.0-Dienstanbieter Microsoft Corporation c:\windows\system32\mswsock.dll
+ NL LSP  d:\netlimiter\nl_lsp.dll
+ NL MSAFD Tcpip [RAW/IP]  d:\netlimiter\nl_lsp.dll
+ NL MSAFD Tcpip [TCP/IP]  d:\netlimiter\nl_lsp.dll
+ NL MSAFD Tcpip [UDP/IP]  d:\netlimiter\nl_lsp.dll
+ NL RSVP TCP Service Provider  d:\netlimiter\nl_lsp.dll
+ NL RSVP UDP Service Provider  d:\netlimiter\nl_lsp.dll
+ RSVP TCP Service Provider Microsoft Windows Rsvp 1.0 Service Provider Microsoft Corporation c:\windows\system32\rsvpsp.dll
+ RSVP UDP Service Provider Microsoft Windows Rsvp 1.0 Service Provider Microsoft Corporation c:\windows\system32\rsvpsp.dll
Mosaic1
Thanks. It was much easier reading those reports this way.

You look good.

You can use Msconfig>Startups and uncheck KernelFaultCheck
It is put there after a crash and is not needed now.


It appears you have a policy set up to keep the Wallpaper from being changed. Is that the case and did you want that there?


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoActiveDesktop"=dword:00000001
[disables Active Desktop; removes Web tab from Display Properties|
Desktop (tab)|Customize Desktop... (button)|Desktop Items (window)]



HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Frederik\Eigene Dateien\Eigene Bilder\Supreme Commander.bmp"
Ace_NoOne
QUOTE
You can use Msconfig>Startups and uncheck KernelFaultCheck
It is put there after a crash and is not needed now.
Done. :)
QUOTE
It appears you have a policy set up to keep the Wallpaper from being changed. Is that the case and did you want that there?

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoActiveDesktop"=dword:00000001
[disables Active Desktop; removes Web tab from Display Properties|
Desktop (tab)|Customize Desktop... (button)|Desktop Items (window)]

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Frederik\Eigene Dateien\Eigene Bilder\Supreme Commander.bmp"
Well, that is my wallpaper. And since I'm pretty anal about my no-frills approach (see above - I didn't even have any wallpaper until I stumbled across that awesome screenshot a few weeks ago), I also have Active Desktop deactivated. But keeping the wallpaper from being changed - who (or what) would change it other than me?!
Mosaic1
That was my error. That just removes the Web tab from the Properties and so no active desktop changes can be made using it.

You still do retain your ability to change the desktop wallpaper using Display Properties.
Ace_NoOne
§$%&#!
I was pretty sure that ****er was gone - but I just checked the disc images folder again, and there they are: INTEGITOR.EXE and TESTFILE.
If I could, I'd just trash the HDD - unfortunately, there are too many important files on it...

Interestingly, AntiVir did not sound any alerts when I had it scan that folder, meaning that this seems to be a newer version of the virus!?

I haven't deleted the two files yet, just in case someone wants them for diagnosis!?
What if I just rename the folder, e.g. from "disc images" to "fu" - maybe that confuses this bastard cuz it can't find its favorite folder anymore... (I know that's pathetic - plus it might make the virus just harder to find - but I'm desperate)

Here's the latest HJT log, for whatever it's worth:
QUOTE
Logfile of HijackThis v1.99.1
Scan saved at 16:18:10, on 27.10.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\ANTIVIR\AVGUARD.EXE
D:\AntiVir\AVWUPSRV.EXE
D:\Cisco VPN Client\cvpnd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Microsoft IntelliType Pro\type32.exe
D:\RBTray\RBTray.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
D:\WinKey\WinKey.exe
D:\AntiVir\AVGNT.EXE
C:\Dokumente und Einstellungen\Frederik\Desktop\virus removal\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\NETTRA~1\NTIEHelper.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [type32] "C:\Programme\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - Startup: autostart query.lnk = C:\WINDOWS\system32\wscript.exe
O4 - Startup: RBTray.lnk = D:\RBTray\RBTray.exe
O4 - Startup: todo.memo
O4 - Startup: WinKey.lnk = D:\WinKey\WinKey.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Download all by Net Transport - D:\NetTransport\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - D:\NetTransport\NTAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - D:\ANTIVIR\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\AntiVir\AVWUPSRV.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Cisco VPN Client\cvpnd.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Mosaic1
May I have a copy of those files please? Create a new folder. Copy the files into that new folder and then right click on that folder and click send to >Compressed on the menu.



Please send the newly created zipped file as an email attachment to me here:
Katie_3232AThotmail.com

Replace the AT with an @ for the email address to work.
I'll see what we can find out.


I'll see if any of the other scanners picks it up.

Autoruns has had an update recently and so has Rootkit Reveal. Do a new download of each program and run those please. Post the results.
-------------------

Now for the other logs.

Download Antihookexec.zip from this link:
http://www.security.org.sg/code/AntiHookExec.zip


on this page:
http://www.security.org.sg/code/antihookexec.html


Extract antihookexec.exe
to the same folder from which you run Hijackthis:

C:\Dokumente und Einstellungen\Frederik\Desktop\virus removal


Go to start> run
Type cmd.exe

Press enter

When the prompt opens Copy this next command and then right click in the window and click paste on the menu.

cd "C:\Dokumente und Einstellungen\Frederik\Desktop\virus removal"

Press enter.

Now do the same for this command:

antihookexec hijackthis

This will start, hopefully, an unhooked hijackthis.

Create a log and post that please.

Then do not close Hijackthis. Immediately create a startuplist like this:
In Hijackthis press the Config Button
Click Misc Tools
Check both boxes next to the Generate StartupList log and then click the generate startuplist log button.

Paste the contents into your next reply here.
Mosaic1
Also, what is the exact path to your CD Image Folder please?
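The two HijackThis runs asked for above (a normal one and one started through AntiHookExec) are meant to be compared by eye: anything that only shows up once user-mode hooks are bypassed is worth a closer look. As an added example, not from this thread and not part of HijackThis or AntiHookExec, the Python below parses two such logs, lists what only the unhooked run shows, and applies two plain heuristics to the autostart entries. The two logs embedded in it are constructed to mimic the log format, with an invented user "alice" and invented file names; the heuristics (`TEMP_RE`, `SCRIPT_HOST_RE`) are this example's own choices. A hit is a prompt to inspect that file or shortcut, not a verdict, and a process seen in one scan but not the other is often just timing, so compare the O-entries before the process list.

```python
"""Triage helper for HijackThis-style logs.

Added example, not code from the thread or from HijackThis. It does two
things the helpers in the thread do by hand:
  1. diff a normal HijackThis log against one produced via AntiHookExec;
  2. flag autostart entries and processes that deserve a second look.
The sample logs below are constructed for the example (assumed format,
invented user and file names).
"""
import re

# --- constructed sample logs (not the poster's real logs) -------------------
HOOKED_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [type32] "C:\Programme\Microsoft IntelliType Pro\type32.exe"
O4 - Startup: RBTray.lnk = D:\RBTray\RBTray.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

UNHOOKED_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\alice\Local Settings\Temp\updater.exe

O4 - HKLM\..\Run: [type32] "C:\Programme\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [updater] C:\Documents and Settings\alice\Local Settings\Temp\updater.exe
O4 - Startup: RBTray.lnk = D:\RBTray\RBTray.exe
O4 - Startup: sync.lnk = C:\WINDOWS\system32\wscript.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Heuristics chosen for this example: autostarts/processes living in a Temp
# directory, and a script host launched with no script path behind it.
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.I)
SCRIPT_HOST_RE = re.compile(r"\\(wscript|cscript|mshta)\.exe\s*$", re.I)


def parse_hjt(text):
    """Return (processes, entries).

    processes: set of lower-cased paths from the "Running processes:" block
    entries:   set of (section, body) tuples for the O-numbered lines
    Paths are lower-cased because Windows compares them case-insensitively.
    """
    processes, entries = set(), set()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
        elif in_procs:
            processes.add(line.lower())
    return processes, entries


def diff_logs(hooked, unhooked):
    """Everything visible only in the unhooked log.

    A non-empty 'entries' list is the interesting signal: a registry or
    startup-folder item that only appears when hooks are bypassed is being
    hidden from the normal scan. Extra 'processes' may just be timing.
    """
    hooked_procs, hooked_entries = parse_hjt(hooked)
    unhooked_procs, unhooked_entries = parse_hjt(unhooked)
    return {
        "processes": sorted(unhooked_procs - hooked_procs),
        "entries": sorted(unhooked_entries - hooked_entries),
    }


def flag_entries(entries):
    """Apply the two heuristics to O-entries; returns (section, body, reason)."""
    findings = []
    for section, body in sorted(entries):
        if TEMP_RE.search(body):
            findings.append((section, body, "autostart from a Temp directory"))
        if section == "O4" and SCRIPT_HOST_RE.search(body):
            findings.append((section, body, "script host launched with no script path"))
    return findings


def flag_processes(processes):
    """Running processes whose image lives in a Temp directory."""
    return [(p, "process running from a Temp directory")
            for p in sorted(processes) if TEMP_RE.search(p)]


def triage(hooked, unhooked):
    """Full report for a pair of logs: the diff plus flagged items from the unhooked run."""
    procs, entries = parse_hjt(unhooked)
    return {
        "diff": diff_logs(hooked, unhooked),
        "flags": flag_entries(entries) + flag_processes(procs),
    }


if __name__ == "__main__":
    report = triage(HOOKED_LOG, UNHOOKED_LOG)
    for kind, items in report["diff"].items():
        for item in items:
            print(f"only in unhooked log ({kind}): {item}")
    for finding in report["flags"]:
        print("flag:", *finding)
```

With real logs, paste each saved HijackThis log into the two string constants (or read them from disk) and call `triage`; the diff of O-entries is the part worth acting on, and the flagged items are the places to look next with Autoruns and a file-system listing of that Temp directory.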
Ace_NoOne
I sent the files to your mail address a few days ago - let's hope they didn't get intercepted... !?

My CD image folder is F:\disc images\.

Here's the unhooked HJT log (new AutoRuns and Rootkit Reveal logs will follow soon):
QUOTE
Logfile of HijackThis v1.99.1
Scan saved at 11:09:46, on 30.10.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AntiVir\AVWUPSRV.EXE
D:\Cisco VPN Client\cvpnd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Microsoft IntelliType Pro\type32.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
D:\RBTray\RBTray.exe
D:\AntiVir\AVGNT.EXE
D:\WinKey\WinKey.exe
C:\Programme\Outlook Express\msimn.exe
C:\WINDOWS\system32\winlogon.exe
D:\Discountsurfer\_discountsurfer.exe
D:\ANTIVIR\AVGUARD.EXE
D:\Mozilla\Firefox\firefox.exe
D:\WinRAR\WinRAR.exe
C:\WINDOWS\System32\cmd.exe
C:\Dokumente und Einstellungen\Frederik\Desktop\virus removal\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\NETTRA~1\NTIEHelper.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [type32] "C:\Programme\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - Startup: autostart query.lnk = C:\WINDOWS\system32\wscript.exe
O4 - Startup: RBTray.lnk = D:\RBTray\RBTray.exe
O4 - Startup: todo.memo
O4 - Startup: WinKey.lnk = D:\WinKey\WinKey.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Download all by Net Transport - D:\NetTransport\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - D:\NetTransport\NTAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{700E264A-CB06-48B2-B0E7-C263603CD904}: NameServer = 62.104.191.241 62.104.196.134
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - D:\ANTIVIR\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\AntiVir\AVWUPSRV.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Cisco VPN Client\cvpnd.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

And the startuplist:
QUOTE
StartupList report, 30.10.2005, 11:10:23
StartupList version: 1.52.2
Started from : C:\Dokumente und Einstellungen\Frederik\Desktop\virus removal\hijackthis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AntiVir\AVWUPSRV.EXE
D:\Cisco VPN Client\cvpnd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Microsoft IntelliType Pro\type32.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
D:\RBTray\RBTray.exe
D:\AntiVir\AVGNT.EXE
D:\WinKey\WinKey.exe
C:\Programme\Outlook Express\msimn.exe
C:\WINDOWS\system32\winlogon.exe
D:\Discountsurfer\_discountsurfer.exe
D:\ANTIVIR\AVGUARD.EXE
D:\Mozilla\Firefox\firefox.exe
D:\WinRAR\WinRAR.exe
C:\WINDOWS\System32\cmd.exe
C:\Dokumente und Einstellungen\Frederik\Desktop\virus removal\hijackthis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Dokumente und Einstellungen\Frederik\Startmenü\Programme\Autostart]
autostart query.lnk = C:\WINDOWS\system32\wscript.exe
RBTray.lnk = D:\RBTray\RBTray.exe
todo.memo
WinKey.lnk = D:\WinKey\WinKey.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

type32 = "C:\Programme\Microsoft IntelliType Pro\type32.exe"
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Logitech Utility = Logi_MwX.Exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: not hidden (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: not hidden (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registrierungs-Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - D:\Adobe Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - c:\programme\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - D:\NETTRA~1\NTIEHelper.DLL - {C56CB6B0-0D96-11D6-8C65-B2868B609932}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: D:\NetLimiter\nl_lsp.dll
Protocol #2: D:\NetLimiter\nl_lsp.dll
Protocol #3: D:\NetLimiter\nl_lsp.dll
Protocol #4: D:\NetLimiter\nl_lsp.dll
Protocol #5: D:\NetLimiter\nl_lsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\rsvpsp.dll
Protocol #10: C:\WINDOWS\system32\rsvpsp.dll
Protocol #11: D:\NetLimiter\nl_lsp.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\system32\mswsock.dll
Protocol #23: C:\WINDOWS\system32\mswsock.dll
Protocol #24: C:\WINDOWS\system32\mswsock.dll
Protocol #25: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI-Treiber: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel-Echounterdrückung: system32\drivers\aec.sys (manual start)
Umgebung für die AFD-Netzwerkunterstützung: \SystemRoot\System32\drivers\afd.sys (autostart)
Warndienst: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Gatewaydienst auf Anwendungsebene: %SystemRoot%\System32\alg.exe (manual start)
AMD K7-Prozessortreiber: System32\DRIVERS\amdk7.sys (system)
AntiVir Service: "D:\ANTIVIR\AVGUARD.EXE" (autostart)
Anwendungsverwaltung: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Aspi32: System32\drivers\aspi32.sys (autostart)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
Asynchroner RAS -Medientreiber: System32\DRIVERS\asyncmac.sys (manual start)
Standard-IDE/ESDI-Festplattencontroller: System32\DRIVERS\atapi.sys (system)
Protokoll für ATM ARP-Client: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audiostubtreiber: System32\DRIVERS\audstub.sys (manual start)
avgntdw: \??\D:\ANTIVIR\AVGNTDW.SYS (manual start)
AVMCOWAN: System32\DRIVERS\AVMCOWAN.sys (manual start)
AVM NDIS WAN CAPI-Treiber: System32\DRIVERS\avmwan.sys (manual start)
AntiVir Update: "D:\AntiVir\AVWUPSRV.EXE" (autostart)
Intelligenter Hintergrundübertragungsdienst: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computerbrowser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM-Laufwerktreiber: System32\DRIVERS\cdrom.sys (system)
Indexdienst: C:\WINDOWS\System32\cisvc.exe (manual start)
Ablagemappe: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+-Systemanwendung: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Kryptografiedienste: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Cisco Systems VPN Adapter: System32\DRIVERS\CVirtA.sys (manual start)
Cisco Systems, Inc. VPN Service: "D:\Cisco VPN Client\cvpnd.exe" (autostart)
Cisco Systems Inc. IPSec Driver: \??\C:\WINDOWS\System32\Drivers\CVPNDRVA.sys (autostart)
d344bus: System32\DRIVERS\d344bus.sys (system)
d344prt: System32\Drivers\d344prt.sys (system)
AVM FRITZ!web Routing Service: C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe (manual start)
DHCP-Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Laufwerktreiber: System32\DRIVERS\disk.sys (system)
Verwaltungsdienst für die Verwaltung logischer Datenträger: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Verwaltung logischer Datenträger: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel-DLS-Synthesizer: system32\drivers\DMusic.sys (manual start)
Deterministic Network Enhancer Miniport: System32\DRIVERS\dne2000.sys (manual start)
DNS-Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel-DRM-Audioentschlüsselung: system32\drivers\drmkaud.sys (manual start)
ElbyCDFL: System32\Drivers\ElbyCDFL.sys (manual start)
ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
Fehlerberichterstattungsdienst: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Edisonsoft ES-620 USB Infrared Adapter: System32\DRIVERS\ES-620.sys (manual start)
Creative AudioPCI (ES1371,ES1373) (WDM): system32\drivers\es1371mp.sys (manual start)
Ereignisprotokoll: %SystemRoot%\system32\services.exe (autostart)
COM+-Ereignissystem: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Kompatibilität für schnelle Benutzerumschaltung: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Diskettencontrollertreiber: System32\DRIVERS\fdc.sys (manual start)
Diskettenlaufwerktreiber: System32\DRIVERS\flpydisk.sys (manual start)
FRITZ!Card PCI: System32\DRIVERS\fpcibase.sys (manual start)
Treiber für Volume-Manager: System32\DRIVERS\ftdisk.sys (system)
Gameport-Enumerator: System32\DRIVERS\gameenum.sys (manual start)
GDTdiInterceptor: \??\C:\WINDOWS\System32\drivers\GDTdiIcpt.sys (autostart)
Standardpaketklassifizierung: System32\DRIVERS\msgpc.sys (manual start)
Hilfe und Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class-Treiber: System32\DRIVERS\hidusb.sys (manual start)
i8042-Tastatur- und PS/2-Mausanschluss-Treiber: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe (manual start)
Filtertreiber für CD-Brennen: System32\DRIVERS\imapi.sys (system)
IMAPI-CD-Brenn-COM-Dienste: C:\WINDOWS\System32\imapi.exe (manual start)
IPv6-Firewalltreiber: System32\DRIVERS\Ip6Fw.sys (manual start)
IPv6-Internetverbindungsfirewall: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Filtertreiber für IP-Verkehr: System32\DRIVERS\ipfltdrv.sys (manual start)
IP/IP-Tunneltreiber: System32\DRIVERS\ipinip.sys (manual start)
Übersetzer für IP-Netzwerkadressen: System32\DRIVERS\ipnat.sys (manual start)
IPSEC-Treiber: System32\DRIVERS\ipsec.sys (system)
IR-Enumeratordienst: System32\DRIVERS\irenum.sys (manual start)
PnP-ISA/EISA-Bus-Treiber: System32\DRIVERS\isapnp.sys (system)
Tastaturklassentreiber: System32\DRIVERS\kbdclass.sys (system)
Tastatur-HID-Treiber: System32\DRIVERS\kbdhid.sys (system)
kbeepm: \??\C:\DOKUME~1\Frederik\LOKALE~1\Temp\kbeepm.sys (manual start)
Microsoft Kernel-Waveaudiomixer: system32\drivers\kmixer.sys (manual start)
Logitech PS/2 Mouse Filter Driver: System32\Drivers\l8042pr2.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Arbeitsstationsdienst: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logitech HID/USB Mouse Filter Driver: System32\DRIVERS\LHidFlt2.Sys (manual start)
Logitech USB Receiver device driver: System32\Drivers\LHidUsb.Sys (manual start)
TCP/IP-NetBIOS-Hilfsprogramm: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Logitech Mouse Class Filter Driver: System32\Drivers\LMouFlt2.sys (manual start)
Nachrichtendienst: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting-Remotedesktop-Freigabe: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mausklassentreiber: System32\DRIVERS\mouclass.sys (system)
Maus-HID-Treiber: System32\DRIVERS\mouhid.sys (manual start)
Redirector für WebDav-Client: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Microsoft IR Communications Driver: System32\DRIVERS\MSIRCOMM.sys (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Proxy für Streaming Clock: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Macronix MX987xx der Fast Ethernet-NT-Treiberfamilie: System32\DRIVERS\mxnic.sys (manual start)
RAS-NDIS-TAPI-Treiber: System32\DRIVERS\ndistapi.sys (manual start)
NDIS-Benutzermodus-E/A-Protokoll: System32\DRIVERS\ndisuio.sys (manual start)
RAS-NDIS-WAN-Treiber: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS-Schnittstelle: System32\DRIVERS\netbios.sys (system)
NetBios über TCP/IP: System32\DRIVERS\netbt.sys (system)
Netzwerk-DDE-Dienst: %SystemRoot%\system32\netdde.exe (manual start)
Netzwerk-DDE-Serverdienst: %SystemRoot%\system32\netdde.exe (manual start)
AVM FRITZ!web PPP over ISDN: System32\DRIVERS\NETFRITZ.SYS (manual start)
Anmeldedienst: %SystemRoot%\System32\lsass.exe (manual start)
Netzwerkverbindungen: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NLA (Network Location Awareness): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Netzwerkmonitortreiber: System32\DRIVERS\NMnt.sys (manual start)
NT-LM-Sicherheitsdienst: %SystemRoot%\System32\lsass.exe (manual start)
Wechselmedien: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
Filtertreiber für IPX-Verkehr: System32\DRIVERS\nwlnkflt.sys (manual start)
Treiber für IPX-Verkehrsweiterleitung: System32\DRIVERS\nwlnkfwd.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Plug & Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC-Dienste: %SystemRoot%\System32\lsass.exe (autostart)
Parallel Port Joystick Bus device driver: system32\drivers\PPJoyBus.sys (manual start)
Parallel Port Joystick device driver: system32\drivers\PPortJoy.sys (manual start)
WAN-Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Prozessortreiber: System32\DRIVERS\processr.sys (system)
StarForce Protection Environment Driver v6: \SystemRoot\System32\drivers\prodrv06.sys (system)
StarForce Protection Helper Driver v2: System32\drivers\prohlp02.sys (system)
Geschützter Speicher: %SystemRoot%\system32\lsass.exe (autostart)
QoS-Paketplaner: System32\DRIVERS\psched.sys (manual start)
Treiber für direkte Parallelverbindung: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Treiber für automatische RAS-Verbindung: System32\DRIVERS\rasacd.sys (system)
Verwaltung für automatische RAS-Verbindung: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN-Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start)
WAN-Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
RAS-Verbindungsverwaltung: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remotezugriff-PPPOE-Treiber: System32\DRIVERS\raspppoe.sys (manual start)
Parallelanschluss (direkt): System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Sitzungs-Manager für Remotedesktophilfe: C:\WINDOWS\system32\sessmgr.exe (manual start)
Filtertreiber für digitale CD-Audiowiedergabe: System32\DRIVERS\redbook.sys (system)
Routing und RAS: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
RPC-Locator: %SystemRoot%\System32\locator.exe (manual start)
Remoteprozeduraufruf (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS-RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
SaiH8000: System32\DRIVERS\SaiH8000.sys (manual start)
SaiMini: System32\DRIVERS\SaiMini.sys (manual start)
SaiNtBus: system32\drivers\SaiNtBus.sys (manual start)
Sicherheitskontenverwaltung: %SystemRoot%\system32\lsass.exe (autostart)
Smartcard-Hilfsprogramm: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smartcard: %SystemRoot%\System32\SCardSvr.exe (manual start)
Taskplaner: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Sekundäre Anmeldung: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Systemereignisbenachrichtigung: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum-Filtertreiber: System32\DRIVERS\serenum.sys (manual start)
Treiber für seriellen Anschluss: System32\DRIVERS\serial.sys (system)
StarForce Protection Environment Driver (version 1.x): System32\drivers\sfdrv01.sys (system)
StarForce Protection Helper Driver: System32\drivers\sfhlp01.sys (system)
StarForce Protection Helper Driver (version 2.x): System32\drivers\sfhlp02.sys (system)
StarForce Protection VFS Driver (version 2.x): System32\drivers\sfvfs02.sys (system)
Internetverbindungsfirewall/Gemeinsame Nutzung der Internetverbindung: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shellhardwareerkennung: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Sony USB-Filtertreiber (SONYPVU1): System32\DRIVERS\SONYPVU1.SYS (manual start)
Microsoft Kernel-Audiosplitter: system32\drivers\splitter.sys (manual start)
Druckwarteschlange: %SystemRoot%\system32\spoolsv.exe (autostart)
Filtertreiber für Systemwiederherstellung: System32\DRIVERS\sr.sys (system)
Systemwiederherstellungsdienst: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP-Suchdienst: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
SSHDRV65: \??\C:\WINDOWS\System32\drivers\SSHDRV65.sys (system)
Windows-Bilderfassung (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software-Bus-Treiber: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetablesynthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{B805A97E-0D40-4FDA-950E-0770599834F1} (manual start)
Microsoft Kernel-Systemaudiogerät: system32\drivers\sysaudio.sys (manual start)
Leistungsdatenprotokolle und Warnungen: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telefonie: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP-Protokolltreiber: System32\DRIVERS\tcpip.sys (system)
Terminal-Gerätetreiber: System32\DRIVERS\termdd.sys (system)
Terminaldienste: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Designs: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Thrustmapper Device Enumerator: system32\drivers\TMBUS.sys (manual start)
TMHIDSRV: System32\DRIVERS\TMHIDF.sys (manual start)
Thrustmapper virtual Keyboard device driver: system32\drivers\TMKEmu.sys (manual start)
Thrustmapper virtual Mouse device driver: system32\drivers\TMMEmu.sys (manual start)
Überwachung verteilter Verknüpfungen (Client): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Updatetreiber: System32\DRIVERS\update.sys (manual start)
Upload-Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universeller Plug & Play-Gerätehost: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Unterbrechungsfreie Stromversorgung: %SystemRoot%\System32\ups.exe (manual start)
Microsoft Standard-USB-Haupttreiber: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB-Standardhubtreiber: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB-Druckerklasse: System32\DRIVERS\usbprint.sys (manual start)
USB-Scannertreiber: System32\DRIVERS\usbscan.sys (manual start)
Motorola USB Modem Driver: System32\DRIVERS\usbser.sys (manual start)
USB-Massenspeichertreiber: System32\DRIVERS\USBSTOR.SYS (manual start)
Miniporttreiber für universellen Microsoft USB-Hostcontroller: System32\DRIVERS\usbuhci.sys (manual start)
VGA-Anzeigecontroller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP-Bus-Filter: System32\DRIVERS\viaagp.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
vsdatant: \??\C:\WINDOWS\System32\vsdatant.sys (manual start)
Volumeschattenkopie: %SystemRoot%\System32\vssvc.exe (manual start)
Windows-Zeitgeber: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
RAS-IP-ARP-Treiber: System32\DRIVERS\wanarp.sys (manual start)
Windows CE USB Serial Host Driver: System32\DRIVERS\wceusbsh.sys (manual start)
Treiber für Microsoft WINMM-WDM-Audiokompatibilität: system32\drivers\wdmaud.sys (manual start)
Webclient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows-Verwaltungsinstrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Seriennummer der tragbaren Medien: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WMI-Leistungsadapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS-Dienstanbieter-Unterstützungsumgebung: \SystemRoot\System32\drivers\ws2ifsl.sys (manual start)
Automatische Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Konfigurationsfreie drahtlose Verbindung: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 33.299 bytes
Report generated in 0,125 seconds

Command line options:
  /verbose  - to add additional info on each section
  /complete - to include empty sections and unsuspicious data
  /full    - to include several rarely-important sections
  /force9x  - to include Win9x-only startups even if running on WinNT
  /forcent  - to include WinNT-only startups even if running on Win9x
  /forceall - to include all Win9x and WinNT startups, regardless of platform
  /history  - to list version history only
Mosaic1
Thanks. No. I never did get those files. I checked my bulk mail too. If need be, I have a place where you can upload them later.



I see you are still working at another forum too. I am sorry. I cannot help you here if you are going to continue elsewhere. Let me know if you want to continue here. If you do, then please go over there and let them know. It is not fair to expect two forums' staff to work on the same problem.

Plus a lot of your entries are in German. So are the results of the googles I am doing for some of this. I do not speak German and am at a disadvantage. The translators are terrible.


You do have something new:
D:\Discountsurfer\_discountsurfer.exe


And also I am not sure what this Service is and it didn't show up in your previous Hijackthis log.
Designs: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

We can pursue what actual file this is loading under svchost.
Ace_NoOne
QUOTE
I see you are still working at another forum too. I am sorry. I cannot help you here if you are going to continue elsewhere. Let me know if you want to continue here. If you do, then please go over there and let them know. It is not fair to expect two forums' staff to work on the same problem.
Sorry, I never meant to insult anyone.
I started out posting in those German forums - but since this virus was freaking me out and I was pretty much panicking, I asked around where else to get help. So I was told to use these forums instead since people here were much more qualified. And it's pretty obvious that this was some good advice!
Also, the other thread is pretty much dead (the only response is from Oct. 18), and I actually don't expect any replies there.
I hope this clears things up, because I really appreciate your help here and wouldn't like to be seen as "cheating" on you...

As for the German entries - well, I hadn't considered that. Where exactly are such problems (except for the folder names)?

D:\Discountsurfer\_discountsurfer.exe is no danger; it's a low-cost router (I'm on dial-up :/ ).

As for Designs: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart), I don't know what that does either - but that svchost.exe looks familiar, so I would guess that it's been there for quite a while already (whether that's good or not... ).
Mosaic1
Ok Good. Thanks. We'll work here. The Divorce is off! LOL

I am about to sign off and go out for a while. In the meantime I am attaching a zip file containing a script. This will get the file paths for all Services run by svchost.

Actually svchost is legit but it can run any dll set to interface with it. Most XP Services are loaded by this generic host. So until we know what file is being loaded by it, we wont know what's what.

Extract the get svchost.vbs from the zip, to its own folder please. Double click on get svchost.vbs and allow it to run if you get a warning.

When finished it will open a text file. Copy and paste the contents here.
It will tell you the name of the file being loaded for each service which svchost loads.
Ace_NoOne
Okay, cool! Tell them lawyers to rip off another couple... friends.gif

Here's the script's output:
QUOTE
LocalService:
Alerter
C:\WINDOWS\system32\alrsvc.dll

WebClient
C:\WINDOWS\System32\webclnt.dll

LmHosts
C:\WINDOWS\System32\lmhsvc.dll

RemoteRegistry
No File Listed

upnphost
C:\WINDOWS\System32\upnphost.dll

SSDPSRV
C:\WINDOWS\System32\ssdpsrv.dll

NetworkService:
DnsCache
C:\WINDOWS\System32\dnsrslvr.dll

netsvcs:
6to4
No File Listed

AppMgmt
C:\WINDOWS\System32\appmgmts.dll

AudioSrv
C:\WINDOWS\System32\audiosrv.dll

Browser
C:\WINDOWS\System32\browser.dll

CryptSvc
C:\WINDOWS\System32\cryptsvc.dll

DMServer
C:\WINDOWS\System32\dmserver.dll

DHCP
C:\WINDOWS\System32\dhcpcsvc.dll

ERSvc
C:\WINDOWS\System32\ersvc.dll

EventSystem
C:\WINDOWS\System32\es.dll

FastUserSwitchingCompatibility
C:\WINDOWS\System32\shsvcs.dll

HidServ
C:\WINDOWS\System32\hidserv.dll

Ias
No File Listed

Iprip
No File Listed

Irmon
No File Listed

LanmanServer
C:\WINDOWS\System32\srvsvc.dll

LanmanWorkstation
C:\WINDOWS\System32\wkssvc.dll

Messenger
C:\WINDOWS\System32\msgsvc.dll

Netman
C:\WINDOWS\System32\netman.dll

Nla
C:\WINDOWS\System32\mswsock.dll

Ntmssvc
C:\WINDOWS\system32\ntmssvc.dll

NWCWorkstation
No File Listed

Nwsapagent
No File Listed

Rasauto
C:\WINDOWS\System32\rasauto.dll

Rasman
C:\WINDOWS\System32\rasmans.dll

Remoteaccess
C:\WINDOWS\System32\mprdim.dll

Schedule
C:\WINDOWS\system32\schedsvc.dll

Seclogon
C:\WINDOWS\System32\seclogon.dll

SENS
C:\WINDOWS\system32\sens.dll

Sharedaccess
C:\WINDOWS\System32\ipnathlp.dll

SRService
C:\WINDOWS\System32\srsvc.dll

Tapisrv
C:\WINDOWS\System32\tapisrv.dll

Themes
C:\WINDOWS\System32\shsvcs.dll

TrkWks
C:\WINDOWS\system32\trkwks.dll

W32Time
C:\WINDOWS\System32\w32time.dll

WZCSVC
C:\WINDOWS\System32\wzcsvc.dll

Wmi
No File Listed

WmdmPmSp
C:\WINDOWS\System32\mspmspsv.dll

winmgmt
C:\WINDOWS\system32\wbem\WMIsvc.dll

TermService
C:\WINDOWS\System32\termsrv.dll

wuauserv
C:\WINDOWS\System32\wuauserv.dll

BITS
C:\WINDOWS\System32\qmgr.dll

ShellHWDetection
C:\WINDOWS\System32\shsvcs.dll

helpsvc
C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll

uploadmgr
C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll

Ip6FwHlp
C:\WINDOWS\System32\Ip6FwHlp.dll

rpcss:
RpcSs
C:\WINDOWS\system32\rpcss.dll

imgsvc:
StiSvc
C:\WINDOWS\system32\wiaservc.dll

termsvcs:
TermService
C:\WINDOWS\System32\termsrv.dll
Mosaic1
Notice that designs is not there?

Interesting.
I really am late. But do copy Antihookexec.exe to the Windows folder and then run this command from a new command prompt.

cd %Windir% & antihookexec.exe regedit.exe

Press enter.

Do a search in the registry for designs and see what you come up with.

If you do find anything under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Export the key and post that here please. Put the key inside Code tags please to preserve formatting.


Let's see if BlackLight finds anything too.

http://www.f-secure.com/blacklight/try.shtml

Click "I accept" at bottom of page which takes you to download site.
Download the app to the desktop.
Double click it, accept the agreement, make sure "Scan through Windows Explorer" is checked, then hit "Scan".
It should only take at most 5 minutes.

If there are any results, don't rename anything yet!
Legitimate items can be listed along with nasties.
Just hit next> finish.

The log will be created on the desktop, with a name starting with fsbl- followed by the date and time (fsbl-datetime.log).

Please post the log here too.
Mosaic1
I am going to go over your Startuplist Service listings more carefully later. There may be something else listed. If I need any translations, I'll ask for your help. See you later and good luck.
Ace_NoOne
da**, I thought I had posted the BlackLight log already - but apparently I didn't. Sorry for that!

So here we go:
QUOTE
10/30/05 17:39:53 [Info]: BlackLight Engine 1.0.24 initialized
10/30/05 17:39:53 [Info]: OS: 5.1 build 2600 (Service Pack 1)
10/30/05 17:39:54 [Note]: 4019 4
10/30/05 17:39:54 [Note]: 4005 0
10/30/05 17:40:16 [Note]: 4007 0

And a more recent one:
QUOTE
11/06/05 18:43:28 [Info]: BlackLight Engine 1.0.25 initialized
11/06/05 18:43:28 [Info]: OS: 5.1 build 2600 (Service Pack 1)
11/06/05 18:43:29 [Note]: 4019 4
11/06/05 18:43:29 [Note]: 4005 0
11/06/05 18:55:03 [Note]: 4006 0
11/06/05 18:55:03 [Note]: 4011 1924
11/06/05 18:55:04 [Note]: FSRAW library version 1.7.1013
11/06/05 18:58:36 [Note]: 4006 0
11/06/05 18:58:36 [Note]: 4011 1924
11/06/05 18:58:37 [Note]: FSRAW library version 1.7.1013
11/06/05 19:13:37 [Note]: 4007 0
Mosaic1
Did you do the rest? There were other instructions there too. Have the files returned again?
Ace_NoOne
Oh, I forgot to report the results of the unhooked registry search... :o

The term "designs" was found only once in HKLM\SYSTEM\CurrentControlSet\Services\:
CODE
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
 74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
 00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
 6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Designs"
"Group"="UIGroup"
"ObjectName"="LocalSystem"
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,05,00,03,\
 00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00
"Description"="Stellt die Designverwaltung zur Verfügung."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
 00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
 73,00,68,00,73,00,76,00,63,00,73,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceMain"="ThemeServiceMain"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
 00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
 00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
 05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
 20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
 00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
 00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Enum]
"0"="Root\\LEGACY_THEMES\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
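The export above is the raw regedit form of the answer the "get svchost.vbs" script gave earlier: ImagePath and ServiceDll are REG_EXPAND_SZ values dumped as hex(2) byte lists (UTF-16LE), so they have to be decoded before they can be read. Decoded, the key is the Themes service, whose display name on a German Windows is "Designs"; it runs in the netsvcs svchost group and its Parameters\ServiceDll is %SystemRoot%\System32\shsvcs.dll, the same DLL the script listed for Themes, ShellHWDetection and FastUserSwitchingCompatibility. The script below is an added example, not code from the thread or from the vbs script: it parses a pasted .reg export offline, decodes the hex(2)/hex(7) values, rebuilds the group -> service -> ServiceDll mapping from the Svchost key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost holds the group lists; each service's Parameters\ServiceDll holds the DLL), and flags any hosted DLL that does not resolve under %SystemRoot%. The Themes key in the sample is copied from the post; the Svchost group contents, the "HypoSvc" service and the C:\WINDOWS system root are constructed assumptions for illustration.

```python
"""Added example (not from the thread): parse a regedit .reg export offline and
recover which DLL each svchost-hosted service loads, as 'get svchost.vbs' does."""
import re

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Constructed sample export: the Themes key is the one posted above; the Svchost
# group key and the 'HypoSvc' service are assumptions added for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):54,00,68,00,65,00,6d,00,65,00,73,00,00,00,48,00,79,00,70,00,\
  6f,00,53,00,76,00,63,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Designs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  73,00,68,00,73,00,76,00,63,00,73,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceMain"="ThemeServiceMain"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HypoSvc\Parameters]
"ServiceDll"="C:\\Temp\\hypothetical.dll"
'''

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')


def decode_value(raw):
    """Decode the right-hand side of a .reg value line."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])                        # REG_SZ
    if raw.startswith("dword:"):
        return int(raw[6:], 16)                            # REG_DWORD
    m = re.match(r"^hex(?:\((\w+)\))?:(.*)$", raw)
    if not m:
        return raw
    kind = int(m.group(1), 16) if m.group(1) else 3         # bare 'hex:' is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind in (1, 2):                                     # REG_SZ / REG_EXPAND_SZ as UTF-16LE
        return data.decode("utf-16-le").rstrip("\x00")
    if kind == 7:                                          # REG_MULTI_SZ, NUL-separated list
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data


def parse_reg(text):
    """Return {key path: {value name: decoded value}} for a .reg export."""
    tree, key, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip() if pending else raw.rstrip()
        pending = ""
        if line.endswith("\\"):                            # regedit wraps long hex values
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line) if key else None
        if m:
            name = "@" if m.group(2) else _unescape(m.group(1))
            tree[key][name] = decode_value(m.group(3))
    return tree


def svchost_services(tree):
    """Map svchost group -> service -> what it really loads (ImagePath/ServiceDll)."""
    out = {}
    for group, names in tree.get(SVCHOST_KEY, {}).items():
        if not isinstance(names, list):
            continue
        out[group] = {}
        for svc in names:
            main = tree.get(SERVICES_KEY + "\\" + svc, {})
            params = tree.get(SERVICES_KEY + "\\" + svc + "\\Parameters", {})
            out[group][svc] = {"DisplayName": main.get("DisplayName"),
                               "ImagePath": main.get("ImagePath"),
                               "ServiceDll": params.get("ServiceDll")}
    return out


def unusual_service_dlls(mapping, system_root=r"C:\WINDOWS"):
    """Flag hosted services whose ServiceDll resolves outside %SystemRoot%."""
    flagged = []
    for group, services in mapping.items():
        for svc, info in services.items():
            dll = info["ServiceDll"]
            if dll is None:                                # no Parameters key: not hosted
                continue
            path = re.sub(r"(?i)%systemroot%", lambda _: system_root, dll)
            if not path.lower().startswith(system_root.lower() + "\\"):
                flagged.append((group, svc, dll))
    return flagged
```

To use it on a real machine, export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and HKLM\SYSTEM\CurrentControlSet\Services from regedit (ideally the unhooked regedit started via antihookexec, so a rootkit cannot hide a key from the export), open the file with encoding="utf-16" (regedit writes a BOM), and feed the text to parse_reg. A hosted DLL sitting outside %SystemRoot%, or a ServiceDll in a Temp folder, is the kind of entry worth looking at; an entry like Themes, whose only oddity is a localised display name, is not.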
Mosaic1
I don't see anything odd there. I am about out of ideas on this one.
Ace_NoOne
Exactly, this is some tricky §$%#!
But it hasn't come back again yet, so it might actually be gone after all (though unfortunately, I was misled before... ).

Either way, I'm incredibly grateful for your help and all the effort you've put into this issue!
Mosaic1
You're welcome. You have never shown any signs that this infection has run. Also the folder being on the F drive may be why your AV is not picking up on it. Why these files are being put there I don't know. It sounds like a reinfection coming from the network.

Keep looking at it and let me know if it does return.
Ace_NoOne
There we go again - this time it's called INSTALL.EXE and AUTORUN.INF (the latter referencing the former: "[autorun] open=install.exe")...

God, I hate this crap. I'm gonna completely reinstall Windows after Christmas, I guess - I just hope that'll solve the problem (I will have to retain quite a lot of data, after all).
Mosaic1
Good luck. You have been clear a while. I wish we had been able to track down how these files are getting back on the drive.

I'll be away for the holidays. Let me know how the reinstall goes.